Blocking Android and iOS devices from visiting porn sites



  • I haven't found this problem or solution anywhere else on the forum, so I thought I might share.

    This past week I was tasked by a customer with setting up porn blocking on the customer's network.  I had just recently installed an RCC-VE 2440 device with the latest pfSense.  It seemed like a fairly easy, straightforward request: set up squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

    It works great on all the Windows machines in the building; however, I was still able to visit various tube sites when I checked from my phone.  I wracked my brain for a couple of days until I finally figured it out...

    Chrome on Android and iOS has a "data saver" feature.  Google, with its near infinite computing power (and wishes to mine infinite amounts of data), has set up compression proxies.  These proxy servers will save bytes on your data plan in return for Google knowing everywhere you go on the internet.  They also completely bypass my SquidGuard rules.

    The solution I found was to create a Target Category and list:

    googlezip.net in the domains box.

    I set the redirect mode to "int blank page".

    I added the targeted category to my common ACL and set it to deny.  Saved and applied the config.

    No more porn on phones.

    YMMV



  • @almabes:

    Set up squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

    This is all I needed to do to get it working (just checked my Android tablet and sites are getting blocked).  I did not need to set up a Target Category.

    Have you set up squid to block https sites yet?



  • I have not.

    At this point I see too much risk implementing an https proxy at the customer's site.  They're a motorcycle dealership with https LOB websites; if I break them or make them act squirrely, they can't sell bikes.

    I haven't had a chance to experiment with https filtering on my 3 lab rats (aged 18, 19, and 21) yet, either.

    Are you using data saver on your tablet?
    Did you enable the "block URLs with IPs" option?  I have it turned off.  They have a few sites that they access which act goofy with it on.



  • Are you using data saver on your tablet?

    No

    Did you enable the "block URLs with IPs" option?

    No



  • Ok…hmmm...
    My phone is a KitKat device, running Chrome.  I haven't tried it from my Asus tablet yet.

    The source of my info for blocking access to googlezip.net is
    https://support.google.com/chrome/answer/3517349?hl=en

    I'm still curious why my networks/devices have to have the googlezip.net domain blocked and yours do not.



  • @almabes:

    I haven't found this problem or solution anywhere else on the forum, so I thought I might share.

    This past week I was tasked by a customer with setting up porn blocking on the customer's network.  I had just recently installed an RCC-VE 2440 device with the latest pfSense.  It seemed like a fairly easy, straightforward request: set up squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

    It works great on all the Windows machines in the building; however, I was still able to visit various tube sites when I checked from my phone.  I wracked my brain for a couple of days until I finally figured it out...

    Chrome on Android and iOS has a "data saver" feature.  Google, with its near infinite computing power (and wishes to mine infinite amounts of data), has set up compression proxies.  These proxy servers will save bytes on your data plan in return for Google knowing everywhere you go on the internet.  They also completely bypass my SquidGuard rules.

    The solution I found was to create a Target Category and list:

    googlezip.net in the domains box.

    I set the redirect mode to "int blank page".

    I added the targeted category to my common ACL and set it to deny.  Saved and applied the config.

    No more porn on phones.

    YMMV

    Thanks, man.

    You saved my life.



    They also completely bypass my SquidGuard rules.

    If you have it configured correctly, this is impossible unless they're using their cellular data plan.  Android devices do not support WPAD for proxy auto-discovery, so unless you have blocked LAN ports 80/443 then Android will just go direct.



  • @KOM:

    They also completely bypass my SquidGuard rules.

    If you have it configured correctly, this is impossible unless they're using their cellular data plan.  Android devices do not support WPAD for proxy auto-discovery, so unless you have blocked LAN ports 80/443 then Android will just go direct.

    I think this is because he set up a transparent proxy, so HTTPS bypasses the proxy entirely, not because of the lacking WPAD support.  Transparent mode redirects port 80 to the proxy port by default.

    Also, just to mention it, you can configure the proxy autoconfiguration URL manually now on Android 4+.  WPAD is still missing, which is a shame.
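    To make the two mechanisms discussed in this thread concrete (the SquidGuard domain-list block on googlezip.net from the first post, and the point above that a transparent proxy only sees traffic redirected from port 80), here is a small added model of the decision; it is example code written for this page, not pfSense or squidGuard code, and the category contents and proxy hostnames are constructed samples.

```python
"""Model of how a squidGuard domain list decides a request (added example).

Assumptions (constructed for illustration): a 'porn' category with sample
domains, a 'dataproxy' category holding googlezip.net, and a transparent
proxy that only receives traffic redirected from TCP port 80.
"""
from urllib.parse import urlsplit


def load_domains(text: str) -> set[str]:
    """Parse a squidGuard 'domains' file: one domain per line, '#' comments."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def host_matches(host: str, domains: set[str]) -> bool:
    """squidGuard semantics: an entry matches the host and any subdomain.

    The match is on label boundaries, so 'googlezip.net' also catches
    'proxy.googlezip.net' but not 'notgooglezip.net'.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed sample categories standing in for Shalla's list entries.
BLOCKED_CATEGORIES = {
    "porn": load_domains("# constructed sample entries\nexample-tube.test\nadult.example\n"),
    "dataproxy": load_domains("googlezip.net\n"),
}


def decide(url: str, proxied_ports=(80,)) -> str:
    """Return 'blocked:<category>', 'allowed', or 'bypassed'.

    'bypassed' means the transparent redirect never sent the connection to
    the proxy, so no squidGuard rule was consulted at all.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in proxied_ports:
        return "bypassed"
    for category, domains in BLOCKED_CATEGORIES.items():
        if host_matches(parts.hostname or "", domains):
            return f"blocked:{category}"
    return "allowed"
```

    With data saver on, the phone talks to the compression proxy rather than the tube site, so only the googlezip.net entry sees that request; an https URL never reaches the proxy in this model at all, which is the HTTPS gap the posts above describe.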



  • Yeah I saw that earlier but I figured he must have changed it or he would be facing much larger problems in regard to Android and HTTPS with a transparent proxy.



    I think paying for an OpenDNS subscription (like $20/year) could be considered in this situation.  No need to worry about HTTP or HTTPS or configuring clients if you're using DHCP.  The only thing you must do is block DNS queries to other servers in the firewall.

    The main problem with OpenDNS is that you can't segregate between blocked and non-blocked clients, so to accomplish this you need to set up a local DNS server and the corresponding DHCP reservations and firewall rules.



    The main problem with OpenDNS is that you can't segregate between blocked and non-blocked clients

    You can in a way via firewall rules.  Non-blocked clients can get direct access out via port 53 to whatever DNS they choose.  Blocked clients will have their DNS requests captured and handled by pfSense.